While trying to understand how a web server worked, I came accross this:

//myfile.js
function donothing(){};

//myfile.html
javascript:donothing(open('.jpg','','left=100, right=0, top=100, scrollbars=no, status=no, titlebar=no, resizable=no, toolbar=no, menubar=no, width=255, height=255'))

I'm no JavaScript expert, so I don't get how an empty function can be made to work. Does someone know?

Thank you.

While trying to understand how a web server worked, I came accross this:

//myfile.js
function donothing(){};

//myfile.html
javascript:donothing(open('http://www.acme.com/whatever.jpg','','left=100, right=0, top=100, scrollbars=no, status=no, titlebar=no, resizable=no, toolbar=no, menubar=no, width=255, height=255'))

I'm no JavaScript expert, so I don't get how an empty function can be made to work. Does someone know?

Thank you.

• javascript

6 Answers 6

This is a homemade void substitute to avoid having the expression return a value.

window.open will return a reference to the opened window, and this can have unexpected results.

For instance, try pasting javascript:a=1 into the address field - this will result in a blank screen with the number 1 in it as the browser will by default try to use the result of any expression run as the new document.

To avoid this you use javascript:void(a=1) as void will not return anything, and so the result isn't used as the new document.

Using donothing(foo=bar) or the equivalent Function.prototype(foo=bar) is not needed as the built-in void does the exact same.

But mind, the use of void is only needed when copying text into the address field, its not necessary when you use the pseudo protocol javscript: in links (which you should never do anyway).

The one that does the work is open(...). The operands are evaluated first before the function is called (and Javascript doesn't care about the number of operands to the function).

The donothing function is passed a parameter that it ignores. It is the parameter itself that does the work, however.

the call to donothing is just acting as a shroud. The open function is being called before donothing.

Apparently whomever wrote it felt the naked javascript: call was vulnerable. Strange.

Well, although it is difficult to understand the point of donothing without seeing the rest of the code... the open function will be evaluated anyway. So effectively what is happening is that the open function is being called.

Why they're using donothing to do it is difficult to say without other info :)

But mind, the use of void is only needed when copying text into the address field, its not necessary when you use the pseudo protocol javscript: in links (which you should never do anyway).

Not 100% true. If you write, in html, <a href="javascript:1+2;">clickme</a>, many browsers will still give you an empty screen with the return value that evaluates to true in Javascript. That's the precise reason to use the void operator in <a> tags also when you, for example, auto-generate tags in a template language.